
Mobile Computing Device Threats, Vulnerabilities and Risk Factors Are Ubiquitous

Larry G. Wlosinski, CISA, CISM, CRISC, CAP, CBCP, CCSP, CDP, CISSP, ITIL v3
Is a senior associate at the Veris Group LLC and has more than 16 years of experience in IT security. Wlosinski has been a speaker on a variety of IT security topics at US government and professional conferences and meetings, and has written numerous articles for professional magazines and newspapers.

ISACA JOURNAL VOL 4

Mobile computing devices (i.e., laptops, tablets and smart phones) can cause serious harm to organizations and to device owners, their friends and families, because mobile devices are far less secure than desktops and laptops. The Verizon 2015 Data Breach Investigations Report¹ states that there are tens of millions of mobile devices. And, according to Statista,² there will be 4.77 billion mobile phone users in 2017 and 1.15 billion tablets in use in 2016.³ As the number of mobile computing devices increases, so do mobile security concerns. There are already many existing and new threats related to mobile devices.

This article discusses the actors, threats, vulnerabilities and risk associated with mobile computing devices and highlights the pervasiveness of security and privacy problems and issues.

Actors

The actors (aka threat vectors) include the device itself, the applications (apps) on the device, compromised web sites, wireless data connections, other users and organizations, the organization to which the device user belongs, and the service providers.

Mobile Computing Device Threats

Newly purchased mobile devices can be configured insecurely. Devices can contain the original vulnerable operating system (OS) that has not been updated to eliminate known vulnerabilities.

If a device does not require some type of access controls such as a personal identification number (PIN) or fingerprint, it is ripe for unauthorized use by anyone who has access to it. There are many types of malware that can provide people with malicious intent the ability to obtain sensitive data stored on a device. Protecting data can be more of a problem if one makes the mistake of loading sensitive organizational information on it. Users need to be aware that they are responsible for protecting the device, preventing physical tampering, setting security-specific features, and avoiding supply chains that provide compromised or unsecure mobile devices.

If a mobile device has an attachment to read credit cards, it, too, can be compromised by a technique known as skimming.⁴ A smartphone can perform surveillance via its audio, camera and Global Positioning System (GPS) capabilities, as well as recording call logs, contact information and Short Message Service (SMS) messages. Mobile computer devices can cause financial problems because, if compromised, they can send premium SMS messages, steal transaction authentication numbers, allow extortion via ransomware and make expensive calls without the device owner’s knowledge. A device can even be hijacked and turned into a distributed denial-of-service (DDoS) bot, making it harder for organizations to detect and prevent such DDoS attempts.

App-based threats include malware, spyware, vulnerable apps, compromised apps and data/information leakage due to poor programming practices. The types of app attacks include:

• Disabling or circumventing security settings
• Unlocking or modifying device features
• Apps that were obtained (free or purchased), but contained malicious code

Examples of malware capabilities include:

• Listening to actual phone calls as they happen
• Secretly reading SMS texts, capturing call logs and emails
• Listening to the phone surroundings (device is used as a remote bugging device)
• Viewing the phone’s GPS location
• Forwarding all email correspondence to another inbox
• Remotely controlling all phone functions via SMS
• Accepting or rejecting communication based on predetermined lists
• Evading detection during operation

A compromised web site can be a danger to everyone’s information. It can be the source of phishing scams, drive-by downloads of malware and browser exploits. Wi-Fi via free hotspots can provide criminals the means to obtain banking access and financial account information. These web sites can be used to obtain personal data about device owners, their families and friends, and the places they work. Vulnerabilities to avoid include keeping a Wi-Fi connection enabled at all times, not using or enabling a device firewall, browsing unencrypted web sites, failing to update security software, and not securing home Wi-Fi.

Data communications via a personal or company network can also be a nonsecure means of communications. The communication problems include video, audio and data that can be collected over the air by an insecure network. There are many types of network exploits including Wi-Fi sniffing, manipulation of data in transit, data exposure through radio frequency (RF) emission, connection to an untrusted service, signal jamming and flooding, and monitoring a GPS/geolocation. All of these threats need to be avoided.

User-based threats include: social engineering, inadvertently (or intentionally) releasing classified information, theft and/or misuse of device and app services, and malicious insiders who steal devices for their own purposes or for someone else.

Social engineering can be accomplished by:

• Phishing—Masquerading as a trustworthy entity
• Vishing—Tricking a victim into calling a phone number and revealing sensitive information
• Smishing—Tricking someone via messaging into downloading malware onto their mobile device
• Exploiting Social Media Accounts—Using shortened malicious web site names (to describe one example)

Your own organization’s network infrastructure can be a threat. Used maliciously, a wireless network can pose threats such as:

• Providing a means for unauthorized access
• Permitting or promoting the installation of malware
• Permitting the loss of data integrity of the system and associated databases
• Spreading compromised apps
• Acting as the source of insecure coding
• Permitting eavesdropping, data interception, voice/data collection, drive-by downloads, location tracking (via GPS) and behavior tracking

An Internet service provider (ISP) can also be a threat to individuals and organizations. The ISP gathers and stores device location; device ownership information; application usage behavior; email routing/forwarding information; information about purchased music, movies, TV shows, apps and books; and sensitive internal reports. All of this information can be stored in the cloud for years.

Other information that can be kept in the cloud for a long time includes: photos and videos; personal contact information, calendar events, reminders and notes; device settings; application data; Adobe PDFs; books added to an order list; call history; home screen and application organization; text and email messages; ringtones; home system security settings (HomeKit⁵ data); personal health information (HealthKit⁶ data); and voicemail.

Vulnerabilities

Mobile computing device vulnerabilities exist in the device itself, the wireless connection, a user’s personal practices, the organization’s infrastructure and wireless peripherals (e.g., printers, keyboard, mouse), which contain software, an OS and a data storage device.

If not secured by encryption, wireless networks often pass sensitive information in the clear that can do harm to individuals and/or organizations. Unintentionally released sensitive data can not only affect the organization’s reputation and the lives of those affected, but can also be the cause of legal action.

Unencrypted organization, customer and employee information stored on the computing device can inadvertently be made available to others if someone intercepts it while in transit or if the device is stolen [...] sensitive correspondence. The lack of encrypted communication can allow malware to access the network and propagate Trojans and viruses throughout the organization. More serious is the fact that it can allow intrusion into the enterprise, which can then compromise the entire organization. Remember that a VPN connection requires authentication—a critical protective control—to permit network access.

Wireless communications can carry and install malware on any computing device configured to receive it. This malware can cause data corruption, data leakage, and the unavailability of services and functionality. Personal privacy can also be affected if the audio (e.g., Bluetooth) and video/picture communication (e.g., device camera) are intercepted and used with malicious intent. The wireless protection provided by an organization will work only if a user is in the organization’s network perimeter where the security controls are in place.

Application Vulnerabilities

Other vulnerable components of the mobile computing device environment